Support for vsftpd Login Failures

14 posts Page 1 of 2
Riatsala
Junior Member
Posts: 3
Joined: 27 May 2008, 10:50


I've had thousands of vsftpd login failures in the last few weeks. It would be great to be able to block the offending IPs.

Here's a few lines from /var/log/messages
Code: Select all
May  1 12:43:17 vps vsftpd(pam_unix)[11377]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=72.232.10.66  user=mysql

May 11 00:39:10 vps vsftpd(pam_unix)[22388]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160

May 25 19:59:54 vps vsftpd(pam_unix)[17806]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=65.204.255.101

If blocking these could be added to a future lfd update, I'd really appreciate it!

All the best,
Riatsala

 

chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13


I'll look at adding these to regex.pm

 

Riatsala
Junior Member
Posts: 3
Joined: 27 May 2008, 10:50


Thanks chirpy. :)

 

Riatsala
Junior Member
Posts: 3
Joined: 27 May 2008, 10:50


Thanks for including this in the latest update. It's blocked a couple of IPs already! :)

I have noticed something strange while browsing the logs. It appears there are actually two types of attack, and only one is getting blocked.

Those who use a legitimate username but wrong password generate a single line in /var/log/messages like the one's above, and these are blocked perfectly.

Those who use an invalid username generate two lines in the log for each attempt, and for some reason they are ignored by lfd.
Code: Select all
May 29 05:02:38 vps vsftpd(pam_unix)[5398]: check pass; user unknown
May 29 05:02:38 vps vsftpd(pam_unix)[5398]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 
May 29 05:02:46 vps vsftpd(pam_unix)[5442]: check pass; user unknown
May 29 05:02:46 vps vsftpd(pam_unix)[5442]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 
May 29 05:02:50 vps vsftpd(pam_unix)[5463]: check pass; user unknown
May 29 05:02:50 vps vsftpd(pam_unix)[5463]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 
The second line is exactly the same format as those above, which is why I'm surprised lfd doesn't block it.

People trying to log in with an invalid username isn't much of a threat, so this isn't important, but I am curious to know why these attempts don't get blocked.

All the best,
Riatsala

 

chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13


I'll check the regex and make sure those are blocked too.

 

Com4
Junior Member
Posts: 2
Joined: 24 Aug 2009, 17:33


Hi,

I've had thousands of vsftpd login failures the last couple of days and it seems that CSF is not blokking them:

vsftpd:
Unknown Entries:
check pass; user unknown: 2289 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator

**Unmatched Entries**
vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user

I could not find anything about this exept for this topic.

Any help in this case would be appreciated.

Thanks,

Dave

 

chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13


You need to post the actual login failure log lines that you've configured lfd to scan.

 

Sander
Junior Member
Posts: 1
Joined: 16 Jan 2010, 22:17


Hi,

I have the same issues.

Several thousand lines in the secure log file like:

May 29 05:02:38 vps vsftpd(pam_unix)[5398]: check pass; user unknown
May 29 05:02:38 vps vsftpd(pam_unix)[5398]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160

Can you tell me what you mean with:

"You need to post the actual login failure log lines that you've configured lfd to scan"

Thanks,

Sander

 

chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13


That's the line I need. That particular one isn't picked up by the regex at present. I'll add it to the dev list.

 

Com4
Junior Member
Posts: 2
Joined: 24 Aug 2009, 17:33


Hi,

The exact log lines are like this:

Jan 30 03:04:39 serv222 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user anonymous
Jan 30 03:05:10 serv222 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Jan 30 03:05:10 serv222 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=s5593f547.ad


Beside that vsftpd is using the /var/log/secure file to log these errors and not the
default /var/log/messages file that is configured in the csf config file

Thanks,

Dave
14 posts Page 1 of 2